Hi, Simon Josefsson <[EMAIL PROTECTED]> writes:
> [EMAIL PROTECTED] (Ludovic Courtès) writes:
>
>> I was not expecting such behavior, though. Roughly, I had copied my
>> OpenPGP example (where `GNUTLS_CERT_REQUIRE' worked fine) and replaced
>> "openpgp" with "x509". The fact that we need to specify a trust file in
>> X.509 and not in the OpenPGP case for `GNUTLS_CERT_REQUIRE' to work
>> creates a slight asymmetry.
>
> I think the asymmetry can be traced back to the protocols. Certificate
> requests with X.509 require that the user cert matches the CA cert, but
> with OpenPGP such a check isn't applicable.

Right.

> I don't know whether it is OK for a client to send an X.509 client cert
> that doesn't match one of the authorities sent by the server. Maybe
> that should be possible?

Sections 7.4.4 and 7.4.6 of RFC 4346 do not mention it explicitly, but
they seem to imply that a "suitable" certificate is one that matches the
"known roots and [...] desired authorization space" specified in the
`certificate_authorities' field of the certificate request.

Thanks,
Ludovic.
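The check the thread is circling around is the one a client makes against the `certificate_authorities' list of the CertificateRequest message (RFC 4346, section 7.4.4). The following is an added illustration, not GnuTLS code and not from either poster: it serializes and parses that message body per the RFC's wire format and then tests whether a client certificate's issuer Distinguished Name is among the CAs the server named. The tiny DER helpers and the `der_name_cn` builder are assumptions made for self-containment (they only encode a Name with a single commonName); real code would take the issuer DN straight out of the certificate.

```python
"""Model of TLS 1.1 CertificateRequest handling (RFC 4346 section 7.4.4).

Added example, not GnuTLS code. The DER helpers cover only the subset
needed to build a Name with a single commonName attribute, so sample
authority names can be constructed inline.
"""
import struct

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3
RSA_SIGN = 1                                # ClientCertificateType rsa_sign


def _der_len(n: int) -> bytes:
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_name_cn(common_name: str) -> bytes:
    """DER-encode an X.501 Name holding just CN=<common_name> (constructed helper)."""
    atv = _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, common_name.encode("utf-8")))
    rdn = _der(0x31, atv)            # SET OF AttributeTypeAndValue
    return _der(0x30, rdn)           # SEQUENCE OF RelativeDistinguishedName


def build_certificate_request(cert_types, authorities) -> bytes:
    """Serialize: certificate_types<1..2^8-1>, certificate_authorities<0..2^16-1>,
    each DistinguishedName carried as opaque<1..2^16-1>."""
    types = bytes([len(cert_types)]) + bytes(cert_types)
    ca_list = b"".join(struct.pack("!H", len(dn)) + dn for dn in authorities)
    return types + struct.pack("!H", len(ca_list)) + ca_list


def parse_certificate_request(body: bytes):
    """Parse a CertificateRequest body into (cert_types, [DER DN, ...]).
    Every length field is bounds-checked; malformed input raises ValueError."""
    if len(body) < 1:
        raise ValueError("truncated certificate_types length")
    n_types = body[0]
    if n_types == 0 or len(body) < 1 + n_types + 2:
        raise ValueError("bad certificate_types")
    cert_types = list(body[1:1 + n_types])
    pos = 1 + n_types
    (ca_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + ca_len != len(body):
        raise ValueError("certificate_authorities length mismatch")
    end = pos + ca_len
    authorities = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("bad DistinguishedName length")
        authorities.append(body[pos:pos + dn_len])
        pos += dn_len
    return cert_types, authorities


def issuer_acceptable(issuer_dn: bytes, authorities) -> bool:
    """A client cert is 'suitable' when its issuer DN matches one of the
    server's named authorities. RFC 4346 lets the list be empty, in which
    case the client may offer any certificate of an acceptable type."""
    return not authorities or issuer_dn in authorities


if __name__ == "__main__":
    ca = der_name_cn("Example Test CA")          # constructed sample CA name
    body = build_certificate_request([RSA_SIGN], [ca])
    types, auths = parse_certificate_request(body)
    print(types, [a.hex() for a in auths])
    print(issuer_acceptable(ca, auths), issuer_acceptable(der_name_cn("Other CA"), auths))
```

The comparison is a byte-for-byte match of DER-encoded names, which is what the wire format invites; a client library that normalises names (case, whitespace, string types) before matching is doing more than the RFC strictly requires. This is also why the X.509 path needs a trust file to resolve the request, while the OpenPGP path, which carries no such authority list, does not.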
